After a lot of research about authentication and authorization, I reached the following, but I'm not sure if what I reached is the correct thing, so please help me out:

Authentication is who you are. Authorization is what can you do!

OAuth is for Authorization

OpenID is for Authentication

BUT you can use OpenID Connect which is an extra layer on top of OAuth2 to achieve an Authorization with a pseudo Authentication (we assume that if this person has rights to do this then they are the right person)

So using OpenID Connect is not the best thing to do since it's not an actual Authentication, but then I searched some more for the best ways to Authenticate and I didn't find anything but HTTP Basic (with SSL to get rid of man-in-the-middle attacks) or API Keys, which both aren't that secure technically.

I'm kind of lost as to whether I actually understood these concepts correctly and what I should actually use.

1 Answer

OpenID Connect is a federated identity protocol. Importantly, it defines the id_token, which is an identity assertion that is analogous to a SAML assertion. It tells you who authenticated (i.e. the subject), who is the issuer of the assertion (i.e. the IDP), how the user authenticated (i.e. the acr or AuthnContextClassRef), when the user was authenticated, when the assertion expires, and many more important details. OAuth does not define such an identity assertion. SAML and OpenID Connect also define "metadata", i.e. how the identity provider and relying party define the endpoint, keys, and crypto needed to validate an assertion. For example, how was the id_token signed? With what signing algorithm? OAuth has no comment on this topic. So without OpenID Connect, you would have to make up all this stuff yourself and define it. OpenID Connect standardizes this identity protocol using OAuth, so we can have standard client software and IDP implementations that are interoperable. It would be a sad world if you needed to know a different authentication API for every IDP. Read the old O'Reilly book on OAuth that tells you how to authenticate against Google, and then how to authenticate against Facebook, just to get an idea how bad that world would be! And that was only two websites.